b"Audit of USAID/Washington\xe2\x80\x99s Classified\nAdministrative Support Service Contractors\n\nAudit Report Number 9-000-03-008-P\n\nSeptember 17, 2003\n\n\n\n\n      U.S. Agency for International Development\n                  Washington, D.C.\n\x0cSeptember 17, 2003\n\nMEMORANDUM\nFOR:          M/OP Director, Timothy T. Beans\n\nFROM:         IG/A/PA Director, Nathan S. Lokos /s/\n\nSUBJECT:      Audit of USAID/Washington\xe2\x80\x99s Classified Administrative\n              Support Service Contractors (Report No. 9-000-03-008-P)\n\nThis memorandum transmits our final report on the subject audit. In\nfinalizing the report, we considered your comments on our draft report and\nhave included your response as Appendix II.\n\nThe report contains one recommendation to improve contractor compliance\nrelated to security. In your written comments, you concurred with the\nrecommendation and identified planned actions to address our concerns.\nConsequently, we consider the recommendation to have received a\nmanagement decision. Information related to your final action on the\nrecommendation should be provided to USAID\xe2\x80\x99s Office of Management\nPlanning and Innovation.\n\nI want to express my sincere appreciation for the cooperation and courtesies\nextended to my staff during the audit.\n\x0cThis page intentionally left blank.\n\n\n\n\n                                      2\n\x0cTable of   Summary of Results                                             5\nContents   Background                                                     5\n\n           Audit Objective                                                6\n\n           Audit Findings:                                                6\n\n                  Did USAID/Washington ensure that selected\n                  classified contractors that provide administrative\n                  support services complied with security requirements?   6\n\n                         Office of Procurement Needs to Ensure\n                         Compliance With All Security Related\n                         Requirements of Contracts                        7\n\n           Management Comments and Our Evaluation                         9\n\n           Appendix I - Scope and Methodology                             11\n\n           Appendix II - Management Comments                              13\n\n\n\n\n                                                                               3\n\x0cThis page intentionally left blank.\n\n\n\n\n                                      4\n\x0cSummary of   Administrative support service contractors1 provide a wide variety of useful\nResults      services that play an important role in helping agencies to accomplish their\n             missions. An administrative support service contractor is a non-personal\n             service contractor2 who provides USAID/Washington offices with\n             administrative and technical support for USAID/Washington\xe2\x80\x99s administrative\n             and program related activities. (See page 5.)\n\n             As part of the Office of Inspector General's multi-year strategy for auditing\n             procurement activities, the Performance Audits Division of the Office of\n             Inspector General conducted this audit to determine whether\n             USAID/Washington ensured that selected classified contractors who provide\n             administrative support services complied with the security requirements of\n             their contracts. (See page 6.)\n\n             USAID generally ensured that selected classified contractors providing\n             administrative support services complied with security requirements.\n             However, the Office of Procurement lacked an adequate internal control\n             system to ensure that all contractors were complying with the security\n             requirements relating to visitation letters, termination letters, security training,\n             and the return of USAID building passes. (See pages 6 and 7.)\n\n             This report includes one recommendation to assist the Office of Procurement in\n             adopting practices to improve contractor compliance with the security\n             requirements for administrative support services contracts. (See page 9.)\n\n             The Office of Procurement concurred with the recommendation and described\n             planned actions to implement the recommendation. Based on the Office of\n             Procurement\xe2\x80\x99s written comments, we consider that a management decision has\n             been reached. Management\xe2\x80\x99s comments are included in their entirety in\n             Appendix II. (See page 9.)\n\n\n\nBackground   Administrative support service contractors provide a wide variety of useful\n             services that play an important role in helping agencies to accomplish their\n\n             1\n               A service contract is a contract that directly engages the time and effort of a contractor\n             whose primary purpose is to perform an identifiable task rather than to furnish an end item of\n             supply. A service contract may be either a non-personal or personal contract. It can also\n             cover services performed by either professional or nonprofessional personnel whether on an\n             individual or organizational basis. See Federal Acquisition Regulation 37, Subpart 37.1.\n             2\n              A non-personal services contractor is a contractor, who, while rendering the services, is not\n             subject, either by the contract term or by the manner of its administration to the supervision\n             and control usually prevailing in relationships between the Government and its employees.\n             See FAR 37, Subpart 37.1.\n\n\n\n                                                                                                         5\n\x0c                  missions. An administrative support service contractor is a non-personal\n                  service contractor who provides USAID/Washington offices with\n                  administrative and technical support for USAID/Washington\xe2\x80\x99s administrative\n                  and program related activities. Agencies use these contractors to acquire\n                  special knowledge and skills not available in the government, to obtain cost\n                  effective services, and to obtain temporary or intermittent services.\n\n                  Administrative support service contracts exist in many USAID bureaus and\n                  are designed to provide essential support for program activities. USAID\n                  reported that there were 116 of these contracts during fiscal year 2002 that\n                  were considered classified, which required security clearances. Referred to as\n                  institutional contracts, they provide contractor personnel who advise and assist\n                  in preparing, for example, project papers and internal reports. They also\n                  provide services such as secretarial and janitorial support and other\n                  administrative support for program-funded personnel, which can include\n                  planning and conducting conferences. Individuals performing work under\n                  these arrangements remain employees of their parent contractor organizations.\n\n\nAudit Objective   The Office of Inspector General's Performance Audits Division conducted this\n                  audit to answer the following audit objective:\n\n                  Did USAID/Washington ensure that selected classified contractors that\n                  provide administrative support services complied with security\n                  requirements?\n\n                  This audit was initiated for the following reasons: (1) USAID\xe2\x80\x99s increasing\n                  reliance on administrative support service contractors; (2) the Office of\n                  Inspector General\xe2\x80\x99s focus on USAID\xe2\x80\x99s awarding and administering contracts;\n                  and (3) the Office of Federal Procurement Policy Letter 93-1, \xe2\x80\x9cManagement\n                  Oversight of Service Contracting,\xe2\x80\x9d which encourages inspectors general to\n                  conduct assessments of agencies\xe2\x80\x99 use of support service contracts.\n\n                  Appendix I contains a complete discussion of the scope and methodology for the\n                  audit.\n\n\nAudit Findings    Did USAID/Washington ensure that selected classified contractors that\n                  provide administrative support services complied with security\n                  requirements?\n\n                  USAID/Washington generally ensured that selected classified contractors that\n                  provide administrative support services complied with security requirements.\n                  However, there were several instances of noncompliance with regards to four\n                  separate security requirements.\n\n\n\n                                                                                                6\n\x0cThe National Industrial Security Program3 requires all federal agencies to ensure\nthat their classified4 contractors maintain certain security standards and follow\nspecified procedures. For all tested classified contractors, USAID included the\nfederally mandated security related requirements in the contracts. As part of\nthese requirements, USAID completed the required DD Form 2545 for all\nsampled contracts. Additionally, all tested contractor employees in the sampled\ncontracts had signed the required Standard Form 3126.\n\nHowever, for the sampled contracts, there were several instances of\nnoncompliance concerning visitation letters, termination letters, security training,\nand the return of USAID building passes. These issues are discussed below.\n\nThe Office of Procurement Needs to Ensure Compliance\nWith All Security Related Requirements of Contracts\n\nThere were several instances of non-compliance with contractual security\nregulations. In five of the six contractors that we examined, out of a total of 116\nclassified contractors reported by USAID, there were noncompliance issues for\ncontractor employees concerning four separate security requirements. This\noccurred because the Office of Procurement did not have an adequate internal\ncontrol system to ensure contractor compliance. As a result, the strength of\nUSAID\xe2\x80\x99s otherwise well-designed security procedures relating to their classified\ncontractors was weakened.\n\nThe National Industrial Security Program requires all federal agencies to ensure\nthat their classified contractors maintain certain security standards and follow\nspecified procedures. USAID incorporated these requirements, as well as certain\nrequirements on DD Form 254, in all six of the contracts that we examined.\nThese procedures included, but were not limited to, the following:\n\n3\n  Executive Order 12829 (dated January 6, 1993) established a National Industrial Security\nProgram to safeguard federal government classified information that is released to\ncontractors. This program is applicable to all executive departments and agencies, and\nrequired the development of the \xe2\x80\x9cNational Industrial Security Program Operating Manual\xe2\x80\x9d\n(NISPOM), which prescribes requirements, restrictions and safeguards that are necessary to\nprotect classified information.\n4\n  Classified contractors are contractors that USAID has determined may have access to\nclassified information or classified areas of USAID, and, as a result, the contractor and their\nemployees need to have security clearances and follow procedures specified in the NISPOM.\n5\n  DD Form 254 entitled \xe2\x80\x9cContract Security Classification Specification\xe2\x80\x9d specifies the\nconditions for access to classified information under the contract.\n6\n  Standard Form 312 entitled \xe2\x80\x9cClassified Information Nondisclosure Agreement\xe2\x80\x9d prohibits\ncommunication or transmission of classified information to any unauthorized person or\norganization.\n\n\n\n                                                                                             7\n\x0c    \xe2\x80\xa2   The contractor must certify in writing in a visitation letter that the\n        contract employee has signed an SF 312 and received an initial security\n        briefing.\n\n    \xe2\x80\xa2   Upon termination from the contract, the contractor must submit a\n        termination letter, and immediately upon such termination, contractor\n        employees must return the USAID building pass to USAID.\n\n    \xe2\x80\xa2   The contractor shall provide all employees with security training and\n        briefings commensurate with their access to classified information.\n\nFederal Acquisition Regulations state that contracting officers are responsible for\nensuring compliance with the terms of the contracts. In fulfilling this\nresponsibility, contracting officers designate cognizant technical officers (CTO)\nto assist in ensuring general contract compliance. With respect to security\nrequirements, CTOs work with the USAID Office of Security in ensuring that all\ncontractor security requirements are met, which includes issuing and canceling\nbadges, as well as ensuring that classified contractors have the appropriate\nclearances before the badges are issued.\n\nA sample of six contractors was used to determine whether USAID/Washington\nensured that the contractors were complying with the above-mentioned\nrequirements. An examination of a sample of employees from each of the six\ncontractors indicated that five contractors did not comply to varying degrees\nwith four selected security requirements as shown in the table below.\n\n                            Testing Results for\n               Compliance with Selected Security Requirements\n     Description of\n Security Requirement                               Testing Results\nVisitation Letter         \xe2\x80\xa2   Five contractors submitted visitation letters for all tested\nSubmitted by Contractor       employees.\n                          \xe2\x80\xa2   One contractor did not submit a visitation letter for all tested\n                              employees.\nTermination Letter        \xe2\x80\xa2   Three contractors submitted termination letters for all tested\nSubmitted by Contractor       employees.\n                          \xe2\x80\xa2   Three contractors did not submit termination letters for all tested\n                              employees.\nContractor Provided       \xe2\x80\xa2   Two contractors provided training for all tested employees.\nRequired Security         \xe2\x80\xa2   One contractor relied on USAID to provide training to tested\nTraining                      employees, instead of providing its own training as required.\n                          \xe2\x80\xa2   Three contractors did not provide the required security training\n                              to tested employees\nEmployee Building         \xe2\x80\xa2   Two contractors returned building passes for all of tested\nPasses Returned to            employees.\nUSAID                     \xe2\x80\xa2   Four contractors did not return building passes for all tested\n\n\n\n\n                                                                                                8\n\x0c                                            employees.\n\n                 These instances of non-compliance arose because the Office of Procurement\xe2\x80\x99s\n                 internal control system was not adequate to ensure compliance with all security\n                 requirements for classified contractors. CTOs did not ensure that the contractor\n                 security officers were clearly aware of the detailed security requirements\n                 specified in their contracts and in DD Form 254. Upon further analysis, it was\n                 evident that the incidence of non-compliance was more prevalent in smaller\n                 contractors who, due to their size, did not have an experienced full-time security\n                 officer. CTOs also did not confirm that all required security documentation had\n                 been completed.\n\n                 As a result of this non-compliance, the security controls that USAID\xe2\x80\x99s Office of\n                 Security has put in place are weakened. Furthermore, these weakened controls\n                 could possibly increase the risk of a lapse in security relating to USAID\xe2\x80\x99s\n                 records, information or facilities. In order to improve the level of compliance\n                 with federal security requirements we have the following recommendation.\n\n                        Recommendation No. 1: We recommend that USAID's\n                        Office of Procurement, in coordination with the Office of\n                        Security, establish procedures to require classified\n                        contractors to comply with all security requirements of their\n                        respective administrative support services contracts.\n\n\n\n\nManagement       In its response to our draft report, the Office of Procurement concurred with our\nComments and     recommendation. To address the recommendation, M/OP will issue a General\nOur Evaluation   Notice and an annual reminder notice informing CTOs of their responsibilities\n                 related to classified contractors. Additionally, M/OP will revise its CTO\n                 appointment memorandums to include a section related to classified contractors,\n                 as well as include a security component in the CTO certification program.\n\n                 Based on the actions that M/OP has planned to address the recommendation, we\n                 concluded that a management decision has been reached. Information related to\n                 your final action on the recommendation should be provided to USAID\xe2\x80\x99s Office\n                 of Management Planning and Innovation.\n\n\n\n\n                                                                                                 9\n\x0cThis page intentionally left blank.\n\n\n\n\n                                      10\n\x0c                                                                                      Appendix I\n\nScope and     Scope\nMethodology\n              We audited USAID/Washington\xe2\x80\x99s compliance with selected regulations and\n              guidance relating to selected classified administrative support service\n              contractors (institutional contractors).      This audit was conducted in\n              accordance with generally accepted government auditing standards. We\n              conducted the audit fieldwork at USAID/Washington and at the offices of\n              selected contractors from October 9, 2002 to July 24, 2003. The audit scope was\n              limited to a review of selected classified contracts that were in effect in fiscal\n              year 2002 and that were providing services to USAID/Washington.\n\n              The scope of the audit included an examination of management controls\n              associated with contractor compliance with security related requirements as\n              specified in the contractors\xe2\x80\x99 individual contracts. We selected a judgmental\n              sample of six contracts out of a reported total of 116 classified contracts as of\n              October 2002.\n\n              Methodology\n\n              In order to gain an understanding of USAID/Washington\xe2\x80\x99s use of\n              administrative support service contractors, we held discussions with USAID\n              officials in the Office of Security, the Office of Procurement, and the Office\n              of Human Resources. In addition, we held discussions with various contract\n              officials of selected contractors.\n\n              Specifically, to assess management controls, we performed the following:\n\n              \xe2\x80\xa2       Reviewed relevant laws, regulations, guidance, and directives to gain a\n                      better understanding of the compliance issues relating to\n                      administrative support service contractors.\n\n              \xe2\x80\xa2       Interviewed cognizant technical officers and officials from the Office\n                      of Security to study and evaluate the Office of Procurement\xe2\x80\x99s internal\n                      control system for ensuring contractor compliance with security\n                      requirements.\n\n              \xe2\x80\xa2       Obtained and reviewed a listing of USAID's classified contractors\n                      providing administrative support services.\n\n              \xe2\x80\xa2       Reviewed a judgmental sample of individual contracts, DD Form\n                      254s, the Defense Central Investigative Index, and Standard Form\n                      312s.\n\n\n                                                                                             11\n\x0c\xe2\x80\xa2      Interviewed contractor facility security officers and examined\n       contractor employee records concerning visitation letters, termination\n       letters, training records, and the return of USAID building passes.\n\nWe set the materiality threshold for the audit at one contract with exceptions\nout of our total sample of six contracts. The audit results did not place any\nreliance on computer-generated data.\n\n\n\n\n                                                                           12\n\x0c                   This page intentionally left blank.        Appendix II\n\n\nManagement\nComments\n                                        August 27, 2003\n\n\nMEMORANDUM\n\nFOR:         IG/A/PA., Mr. Nathan Lokos\n\nFROM:        M/OP Director, Timothy T. Beans /s/\n\nSUBJECT:     M/OP Response to USAID/Washington's Classified\n             Administrative Support Service Contractors\n             (Report No. 9-000-03-00X-P)\n\n\nUnder subject report, a recommendation was put forth recommending\nthat USAID's Office of Procurement, in coordination with the Office\nof Security, establish procedures to require classified contractors\nto comply with all security requirements of their respective\nadministrative support service contracts.\n\nThe Office of Procurement concurs with this recommendation and has\ntasked its Office of Procurement Policy Division (M/OP/P) to\ncoordinate with the Office of Security to issue a General Notice\nand an annual reminder notice informing the Agency's Cognizant\nTechnical Officials (CTOs) of their responsibilities related to\nclassified contractors. This General Notice is expected to be\nissued within 30 days.\n\nIn addition, M/OP/P will revise its CTO appointment memorandums to\ninclude a section related to the CTO's role related to classified\ncontractors and coordinate with the Office of Human Resources,\nLearning Support Division to include a component in their CTO\ncertification program related to CTO security oversight\nresponsibilities. These actions are expected to be completed\nwithin 90 days.\n\n\n\n\n                                                                      13\n\x0cThis page intentionally left blank.\n\n                                      Appendix II\n\n\n\n\n                                              14\n\x0c"